Install Portworx on Azure Red Hat OpenShift (ARO)



Find the ARO Service Principal

When deploying Portworx on Azure Redhat Openshift (ARO), the virtual machines are created in a resource group with a Deny Assignment role that prevents any service principal from accessing virtual machines except the service principal created for the resource group. In this task, you identify the service principal for the resource group that has access, and configure it to pass on the credentials (Azure Client ID, Azure Client Secret and Tennant ID) via the Portworx cluster spec. Portworx will fetch the px-azure secret object file to authenticate.

  1. From the Azure Web UI, select Virtual Machines in the upper right corner.
  2. From the Virtual machines page, select the Resource Group associated with your cluster.
  3. From the left panel on the Resource group page, select Access control (IAM).
  4. On the Access control (IAM) subpage of your resource group, select Deny assignments from the toolbar in the center of the page, then select the link under the Name column (this will likely be an autogenerated string of letters and numbers).
  5. This page shows that all principals are denied access, except for your resource group. Select your resource group’s name.
  6. From the application page, copy and save the following values:

    • Name
    • Application ID
    • Object ID

    You will use these to create the px-azure secret.

  7. From the home page, open the Azure Active Directory page (select All services to see the option). Select App registrations on the left pane, followed by All applications. In the search bar in the center of the page, paste the application name you saved in the previous step and hit the enter key. Select the application link that shows in the results to open the next page.

  8. From your application’s page, select Certificates & secrets from the left pane.

  9. From the Certificates & secrets page, select + New client secret to create a new secret.

  10. Use the Application ID and Object ID values from step 6 to create a new secret, and save this secret for future use.

Create the px-azure secret with Service Principal credentials

Create a secret called px-azure to give Portworx access to Azure APIs by updating the following fields with the associated fields from the service principal you created in the step above:

kubectl create secret generic -n kube-system px-azure --from-literal=AZURE_TENANT_ID=<tenant> --from-literal=AZURE_CLIENT_ID=<appId> --from-literal=AZURE_CLIENT_SECRET=<password>
secret/px-azure created

Deploy Portworx

  1. Go to PX-Central to generate an installation spec.

  2. Click Continue with Portworx Enterprise option. PX option screen

  3. Choose an appropriate license for your requirement and click Continue. PX license screen

  4. Ensure that the Use the Portworx Operator option is selected and click Next. Basic screen

  5. Select Cloud as your environment, AZURE as cloud platform, and click Next. Your Environment

  6. Choose your network and click Next. Network

  7. Select Azure Kubernetes Service (AKS) option on the Customize page, and click Finish. Other environment

  8. Follow the instructions to install Portworx Operator. PX-Operator

  9. Download the Portworx spec as a YAML file, and append the osft=true and "true" values. Following is a sample spec for your reference.

    # SOURCE:
    kind: StorageCluster
      name: px-cluster-068edac2-6b76-4a58-9227-bbeccb6c0928
      namespace: kube-system
      annotations: "" "true" "true"
      image: portworx/oci-monitor:2.10.3
      imagePullPolicy: Always
        internal: true
        - type=Premium_LRS,size=150
        kvdbDeviceSpec: type=Premium_LRS,size=150
      secretsProvider: k8s
        enabled: true
          webhook-controller: "true"
        enabled: true
          enabled: true
          exportMetrics: true
        CSI: "true"
            name: px-azure
            key: AZURE_CLIENT_SECRET
      - name: AZURE_CLIENT_ID
            name: px-azure
            key: AZURE_CLIENT_ID
      - name: AZURE_TENANT_ID
            name: px-azure
            key: AZURE_TENANT_ID
  10. Use the kubectl -apply <portworx_enterprise.yaml> command to deploy Portworx.


Once you have a running Portworx installation, below sections are useful.

Last edited: Monday, Aug 15, 2022